This blog will outline how identity provisioning and authentication works in SAP S/4HANA Cloud, public edition (shortened S/4HC for the rest of the blog). I have provided the links to the existing documentation and/or blogs for further reading at the end of this post.
NOTE: The information in this blog is subject to change based on application functionality. I'll try to keep this blog updated accordingly. Updated in September 2023
Identity Provisioning covers the process(es) by which an identity (i.e. a user) is created in the appropriate systems, such as S/4HC and the Business Technology Platform (BTP). It is closely related to, but distinct from, authorization, which determines what the user can do in the system (roles and permissions).
For automated, cloud-based identity provisioning, SAP offers SAP Cloud Identity Services - Identity Provisioning. For on-premise applications, you may already be familiar with SAP Identity Management. The two products can be used together in hybrid landscapes; however, neither product is the focus of this blog.
Authentication is the process of verifying a user's identity based on their credentials (username and password, SAML assertion, X.509 certificate, etc.); it is how the user gains access to the system. Ideally, users authenticate once (for example, against their corporate Azure identity provider) and are then seamlessly signed in via single sign-on (SSO) to other applications (in SAML terms, each such application is known as a Service Provider).
SAP BTP and SAP S/4HANA Cloud Authentication
End users do not authenticate to the S/4HC system directly. Instead, SAP Cloud Identity Services - Identity Authentication (IAS) is used for authentication to S/4HC and other SAP cloud applications. IAS has several key features, including acting as a SAML Identity Provider (IdP), integrating with on-premise user stores, and acting as a proxy for a company's existing IdPs such as Azure and Okta, among many others. The SAP documentation for Identity Authentication (linked at the end of this post) describes the full feature set.
What does all this mean for S/4HC systems? In short, S/4HC is a service provider and uses IAS as its IdP. Users authenticate to IAS and are signed into the S/4HC system via SSO using a SAML assertion. They do not authenticate directly to S/4HC interactively with a username and password; business users in S/4HC have no passwords associated with them. As a consequence, password policy, multi-factor authentication and lockout controls are enforced in IAS (or in the corporate IdP behind it), not in S/4HC.
Using IAS as the IdP provides a scalable approach for integrating multiple cloud applications, such as BTP apps and other SAP Cloud apps. For example, a customer could also provide SSO to a SuccessFactors system and SAP S/4HANA Cloud as shown in Figure 1.
Figure 1: S/4HANA Cloud, public edition authentication architecture
As you may have already guessed, this means that a user principal needs to exist both in the IAS user store (or in the corporate IdP that IAS proxies to) and in the SAP S/4HANA Cloud system.
Identity Provisioning in SAP S/4HC
To grant a user access to the system there are essentially three steps:
Create business users in the S/4HANA Cloud system
Assign the users to business roles in the S/4HANA Cloud system
Create the user in IAS (not needed if IAS is integrated with an existing corporate IdP).
SAP provides several options for user provisioning into both the S/4HANA Cloud system and IAS. In S/4HC, the Manage Workforce app is used to create users, and the users can be:
Created manually in S/4HC using the Manage Workforce app
Batch uploaded using the provided templates
Replicated automatically using the delivered integrations on BTP Integration Suite with SAP and non-SAP systems such as SuccessFactors and Workday, or via a custom integration built on the delivered APIs of S/4HC and BTP.
IAS also supports conditional (risk-based) authentication: rules can be configured based on which user or user group is accessing the system and from where they are accessing it, for example to require a second factor or deny access.
As a quick note, the User Name in the S/4HANA Cloud system must match the Login Name in IAS. S/4HC comes with a non-production and a production IAS tenant, so users in non-production will typically access the Starter, Development and Test S/4HC tenants using the same IAS tenant and credentials.
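The following is an added example, not code from the original post or from SAP, illustrating two points above: why the S/4HC User Name must equal the IAS Login Name (the SAML assertion from IAS carries the login name as the Subject NameID, and S/4HC looks up the business user by that value), and a pre-flight reconciliation of the two user lists before go-live. It assumes the NameID attribute in IAS is configured to send the Login Name (this is configurable per application in IAS). The assertion is a constructed, unsigned fragment with only the user-mapping parts; the CSV exports and their column names are made up for this example and are not the exact headers of the Manage Workforce template or an IAS export.

```python
"""Added example (not SAP's code): S/4HC User Name vs. IAS Login Name."""
import csv
import io
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, trimmed-down sample. A real IAS assertion is signed and also
# carries Conditions, AuthnStatement and attribute statements.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2023-09-01T10:00:00Z">
  <saml:Issuer>https://example-tenant.accounts.ondemand.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">JDOE</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed exports; column names are assumptions for this example only.
S4HC_EXPORT = """user_name,first_name,last_name
JDOE,Jane,Doe
MSMITH,Mark,Smith
ALEE,Anna,Lee
"""

IAS_EXPORT = """login_name,email
JDOE,jane.doe@example.com
msmith,mark.smith@example.com
BKHAN,bilal.khan@example.com
"""


def subject_name_id(assertion_xml: str) -> str:
    """Return the Subject/NameID of a SAML 2.0 assertion (the IAS Login Name here)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return name_id.text.strip()


def resolve_business_user(assertion_xml: str, s4_user_names: set):
    """Model S/4HC's lookup: the NameID must equal an existing User Name.

    Returns the matched User Name, or None when no business user exists for it
    (the user would then fail SSO even though IAS authenticated them).
    """
    name = subject_name_id(assertion_xml)
    return name if name in s4_user_names else None


def load_column(csv_text: str, column: str) -> set:
    """Collect the non-empty values of one column of a CSV export."""
    return {row[column].strip()
            for row in csv.DictReader(io.StringIO(csv_text))
            if row[column].strip()}


def reconcile(s4_names: set, ias_names: set) -> dict:
    """Compare S/4HC User Names with IAS Login Names before go-live.

    Names that differ only in letter case are reported separately rather than
    treated as a match, so they can be checked by hand; this example makes no
    assumption about whether either system matches names case-insensitively.
    """
    ias_by_fold = {n.casefold(): n for n in ias_names}
    s4_folds = {n.casefold() for n in s4_names}
    exact = s4_names & ias_names
    unmatched_s4 = s4_names - ias_names
    case_mismatch = {n: ias_by_fold[n.casefold()] for n in unmatched_s4
                     if n.casefold() in ias_by_fold}
    missing_in_ias = {n for n in unmatched_s4 if n.casefold() not in ias_by_fold}
    missing_in_s4hc = {n for n in ias_names if n.casefold() not in s4_folds}
    return {"ok": exact, "case_mismatch": case_mismatch,
            "missing_in_ias": missing_in_ias, "missing_in_s4hc": missing_in_s4hc}


if __name__ == "__main__":
    s4 = load_column(S4HC_EXPORT, "user_name")
    ias = load_column(IAS_EXPORT, "login_name")
    print("SSO user for sample assertion:", resolve_business_user(SAMPLE_ASSERTION, s4))
    for key, value in reconcile(s4, ias).items():
        print(f"{key}: {sorted(value)}")
```

Running the script shows JDOE resolving to a business user, MSMITH/msmith flagged as a case-only difference to verify, ALEE as an S/4HC user with no IAS login (SSO will fail for her), and BKHAN as an IAS user with no business user (he can authenticate but has nothing to sign into). Run the same reconciliation separately against the non-production and production IAS tenants, since the two user stores are independent.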